A Guide to Understand the OdaTV Trial – 2: Were the digital documents sent through virus activities?

The soL news portal published a series of articles concerning the background and the ongoings of the infamous OdaTV case. Signed Yiğit Günay, the articles investigate the trial’s judicial peculiarities as well as its political context and historical implications. Assuming the responsibility of providing English information on Turkey with a political perspective that is compatible with our stance, we decided to translate these articles for the English-speaking audience.

In this second part of our article series on the Odatv case, we discuss if the documents claimed to be gathered from Odatv computers were embedded there through virus activities. As a matter of fact, whether they are sent through virus activities or not, the journalists should be released immediately.

The last expert investigation from the US is now complete. It states that the documents are infected. Are they really infected or not?

We should all be clear about one thing: It does not matter at all whether these documents are infected or not!

First: According to the Law on Criminal Procedures and the principles of international law, nobody can be detained on the basis of evidence by digital documents in the absence of an expert report. Second: Even when there is an expert report, digital evidence does not form a basis for the detainment, yet they can only be secondary evidence. Lawyer Serkan Günel explained me that “you first demonstrate all the connections of a person, and only then consider digital documents as supporting evidence.”

In our first article, we showed that the indictment constantly refers to the digital documents and that there is no concrete evidence for the activities of a “terrorist organization”.

Let us now focus on the most “suspect-able” person in the group: Kaşif Kozinoğlu. He was not able to survive the long period under arrest – which has become the trendy execution method lately. He was accused of providing confidential documents for “the organization”. And the only evidence for this are that one of the digital documents is named as “kozinoğlu3” and that there is a sentence in the document “koz.doc” stating “Let us bring up the documents obtained from Kozinoğlu about the congregation1 operations in Russia and Uzbekistan, and evaluate the other documents Kozinoğlu gave.” By using only this document, the indictment argues that “it is understood that the suspect Kaşif Kozinoğlu is in contact with and delivered information to Soner Yalçın.”

Any concrete relation between Kaşif Kozinoğlu and Soner Yalçın (or anyone else)? No. Phone calls? A meeting somewhere? Absolutely nothing. There is just this document named after Kozinoğlu. We emphasized this in a news item published in soL, but what if Kaşif Kozanoğlu’s name were a very common name like Mehmet Yılmaz? It is a piece of cake to create a document in the computer. One of the documents has your name, and the other one mentions you. No concrete evidence, and you find yourself under arrest.

This is only one of the examples. It gets even more complicated in the cases of Ahmet Şık and Nedim Şener.

Asst. Prof. Dr. Barış Erman (Faculty of Law , İstanbul Bilgi University) explains this situation in an interview to HaberVs: “If something is not one of the key elements of crime, it is called an “indication”. It is not and should not be possible to detain somebody based on indications. Let me put it this way: For instance, if I threaten somebody on the phone, then I commit a crime on the phone. A record of that phone call can be considered as evidence of my crime. (…) However, if I say “I threatened someone.” on the phone, this is not an element of crime because I am not committing any of the key elements of crime on that phone call. It is an indication of crime, but it is not the crime itself. The same applies for digital data.”

The main inconvenience here is that the prosecutor, i.e. the claimant, was supposed to prove that the suspect committed a crime but that process is now reversed in Turkey: now, the detained have to prove they are innocent. So – we should repeat this over and over – all the arrested journalists should be released immediately due to lack of evidence.

The story of the expert reports stating that “the documents are infected”

Now comes the virus issue…

Right after the first operation on February 14 when Soner Yalçın, Barış Pehlivan and Barış Terkoğlu were arrested, the lawyers of the journalists expressed doubts on the digital documents, the only evidence against the accused. So the lawyers took the document to the Computer Engineering Department in Boğaziçi University and asked for an expert report.

Let us open a parenthesis here to elaborate on the seizure of the digital documents. In a police raid, the police is supposed to copy all the content in the computers at the location, take the copy, and leave the original and a copy of the original for the suspect. Normally, this same procedure applies to all documents obtained from CDs or harddisks, but this did not happen. Fortunately, the “digital documents” were not found in a CD. If the claims are true, then the police used a more advanced method so that instead of embedding any ‘data’ they brought with themselves, they sent the documents through virus activities. (By the way, the lawyer Hüseyin Ersöz conveyed to me that according to a police officer from Istanbul PD Anti-Terror Section, the Anti-Terror Section has only 4 of those copying devices and there are 4 more in the Cyber-Crimes Section. So, the whole Istanbul Police Department has only 8 copying devices. In today’s Turkey where journalists – and other “suspects” – are put in jail in 20-30 people at a time, it is practically impossible for the police to follow the required procedures in order to use digital documents as legally valid evidence.)

Was Ahmet Şık’s book confiscated in order to inhibit expert reports?

We say “if the claims are true”, yet these claims are verified by four different expert reports. Let us return to our main discussion. The lawyers gave the copy to Boğaziçi University. An investigation was launched under the supervision of Prof. Dr. Ufuk Çağlayan. When Çağlayan just finished the preliminary examination, on March 23, the prosecution decided to seize drafts of Ahmet Şık’s not yet published book. The police carried out raids into several locations where they thought they could find copies of the book. While it was itself scandalous that they confiscated a non-published book from the market, there was another eye-catching point in the prosecution’s directions. According to the orders of the prosecutor Zekeriya Öz, anyone who had a copy of the book would count as committed the crime of aiding the terrorist organization.

After this matter, Prof. Dr. Ufuk Çağlayan delivered the copies without even waiting for the police to come and take them. So, the Odatv lawyers were deprived their rights to prove their claims on virus activities.

Reconsidering the events today, the question arises as to whether the prosecutor’s order aimed at blocking the expert report. Odatv lawyers expressed their concerns in that direction. It is clear that an almost finished book that has been shared with several friends cannot be destroyed. Thusly, an electronic copy of the book was soon uploaded to a website and the prosecutor’s order became inoperative. (Months later, the book was published and no one raised a voice against it.)

While Ufuk Çağlayan delivered the copy to the police, he finished his preliminary examination. In his examination, Çağlayan points out there is a strong suspicion that these “confidential documents” were sent to the computer by a virus attached in an email and that this email deleted itself soon after the download.

As we said previously, detainment on the basis of digital documents is not acceptable. But it is even less acceptable for the detained to stay in jail when there is an expert opinion against the reliableness of the documents.

METU says “virus”.

Nevertheless, the court did not release the detained. Then the lawyers of Müyesser Yıldız, another employee of Odatv, sent the copies in her computers to Middle East Technical University (METU). In Yıldız’s computer, the documents such as “Ulusal Medya 2010” (National Media 2010) and “Hanefi.doc” were found, but she did not have a copy of the book “İmamın Ordusu” (The Imam’s Army, Ahmet Şık’s book mentioned above – translator’s note). Hence the lawyers did not deliver this copy to the police.

The report prepared by the faculty members Prof. Dr. Göktürk Üçoluk and researcher Gökdeniz Karadağ in the Computer Engineering department of METU reads as follows:

It is possible to secretly transfer documents to a computer while taking a copy. (This statement verifies our claims. Digital documents are not reliable and therefore cannot constitute sufficient evidence. But instead, today’s twisted mentality asks the suspects to prove not-guilty.)

Thus, we observed that the documents were not created on October 4th, 2010 as seen at the first sight but on February 14th, 2011. (Looking carefully, this is date of the first operation when Yalçın, Pehlivan and Terkoğlu were arrested but there was no legal action against Müyesser Yıldız.)

The computer is adjusted so that it can be controlled from outside via a virus.

These viruses were sent from chptbmm@gmail.com.

Although this mailing address resembles the official address of the CHP2 and has the gmail extension, it is sent via the jangomail servers.

Meanwhile, the Odatv lawyers were trying to take back the other computer images by arguing that the upload of Ahmet Şık’s book online has made the withdrawal order inoperative. Finally, the court accepted the applications. But the images were delivered 42 days later than this decision. Apparently, some people were trying to delay the investigations, or perhaps getting prepared for something else.

The similarities in the report from the US about “CHP” and “Jangomail”

The lawyers sent the copies to experts again. The investigation of Yıldız Technical University confirmed that the documents were sent through virus activities. However, the lawyers had sent the copies to a juridical IT company in the US as well. The results were announced yesterday (December 25th – translator’s note). In the report, Joshua Marpet, the executer of the investigation, made a time-line of the copy. He spotted documents with no date on them. Examining closely, he saw similar documents that do have dates and concluded that they are the residues of these. But some of them were very suspicious. Marpet remarked that especially the documents that end with the commandsed.exe and grep.exe were most likely placed by the creator of the virus, since these lines do not belong to Windows but to Unix- or Linux-based operating systems. Marpet also found numerous “badwares” such as viruses, trojans and worms. Some of these were complex and of a rare type. In this context, Marpet expressed that “The Odatv computers were seized and the owners were not allowed to take the machine back.”

Afterwards, Marpet examined the features of the viruses and concluded that the computer was not infected by a general virus attack but was specifically targeted at. And then, we focused on how this targeting occurred. He determined that the viruses are sent via email and probably through the documents “Ataturk_ekrankoruma.scr” (Ataturk_screensaver.scr) and “Duyuru.pdf” (Announcement.pdf). Interestingly, both of these documents were seized from Barış Terkoğlu’s email address and were sent from “basinbirimi@chp.org.tr” (mediasection@chp.org.tr). However, Marpet realized that the offical chp.org.tr website uses “bmx.is.net.tr” servers for webmail services whereas the emails were sent to Terkoğlu through “jangomail” servers.

That is to say, the reports from METU and the US agree that the viruses were sent by a common method. The infected emails were sent to Müyesser Yıldız and Barış Terkoğlu from email addresses that resemble CHP’s official addresses and that use jangomail servers. Hence we may conclude that there is the same agency behind these virus activities.

The arguments of the partisan media

Well, these all were the work of independent expert committees. There is also the “indictment” front. In the first investigation, Ufuk Çağlayan from Boğaziçi University (who returned the copies due to book-withdrawal orders) expressed in his preliminary examination that there is strong suspicion for virus activities. On April 10th, Zaman3 published a news item emphasizing that “It has been neglected that the expert report says ‘The hard disk of the computer could not be examined.’” Of course, it was not the defendants but the prosecution that should have proved the evidence to be valid under such suspicions. The presumption of innocence was forfeited, and it became ‘innocence’ which was to be proven now.

Afterwards, in September, Zaman interviewed Ufuk Çağlayan on the phone and published a news item quoting “I said this is not how a report is prepared.” where Çağlayan explains that his investigation was incomplete. Zaman also broad-casted the sound record of the phone call. As can be guessed, Çağlayan was once again stating that his investigation was incomplete because the copy was seized. But Çağlayan was uneasy that his name appeared in media so frequently, so he didn’t continue the debate later on.

The indictment was made public in September and it stated “(…) the Technical Report is not based on the examination of the copy of the digital media, comments that are based on assumptions do not constitute a juridical IT investigation…” so as to override the expert report from Boğaziçi. This adds to the suspicions about the link between the book confiscation and seizure of the copies.

As for the METU report on Müyesser Yıldız’s computer, the Ministry of Interior said that according to their expert report it is not possible to embed a data on a computer during the copying process and that the mentioned documents were opened several times before the police raid.

A police set-up?

We shall now mention two significant events that took place meanwhile. First, we shall have a glance at what happened to Müyesser Yıldız. When taken into custody, she was asked about the “Ulusal Medya 2010” document in her interrogation. The proceedings of the interrogation reads that she was interrogated “about the ‘Ulusal Medya 2010′ document that was found in your computer”. Again according to the proceedings, they give many details about the document. Now, this interrogation ended on March 6th, at 12:30 am. Ten minutes after, at 12:40 am, the proceedings were handed to the lawyer. But the search of Müyesser Yıldız’s computers ended (and therefore these documents were obtained) at 1:00 am. If all these times are correct, how did the police know what was in Yıldız’s computers?

There is another one, told by the lawyer Serkan Günel: “In the police interrogation [after the first operation], we were asked about the news items, the meetings of Soner Yalçın with the others, and the reunions. But in the prosecution period, they had a call from the police saying there is more evidence. In Odatv offices, since the times of the documentary ‘Oradaydım’ (I Was There), there should be at least some 2-3 Tera-bytes of data. It is impossible to skim them in one month. Well, when they told us “We checked the evidence, you may now take those that have no elements of crime”, it was already 6 months anyway. You are finished with searching for evidence in 6 months, but somehow you happened to find a word document that is the source of all the charges within the very first 2 days?”

These two details point out to the possibility that the documents, which are reported to be sent through virus activities by 4 different expert reports, were loaded by a police set-up.

While the second hearing will begin today (December 26th) and the detained will give their defense, we will examine other perspectives of the case in our next articles.